Channel: Cheeky4n6Monkey - Learning About Digital Forensics
Browsing all 76 articles

M57.biz Practice Investigation

INTRODUCTION AND SETUP: The first image my study partner (http://computerforensicgraduate.wordpress.com/) and I decided on is located here: http://digitalcorpora.org/corpora/scenarios/m57-jean It's an...

M57.biz Practice Investigation (Pt 3 - Final)

RESULTS AND LEARNING OUTCOMES: Welcome to the M57 entry where I present what I learnt during this investigation. Due to its ongoing use, I have removed my results/analysis section. I have also removed...

Don't Let This Happen To YOU !

Here is a list of interview questions compiled by Libby - my Computer Forensics study partner. I've added a few more towards the end. They were sourced from questions posted on websites and questions...

Using SIFT to Crack a Windows (XP) Password from a Memory Dump

Introduction: Recently, I was thinking about writing a blog entry on Volatility but then found out that SketchyMoose has done an awesome job of covering it already (in a Windows environment). Thinking...

Using SIFT to Crack a Windows (XP) Password from a Forensic Image

In the previous post, we focused on retrieving Windows login passwords from a memory dump using Volatility. But what happens if you don't have a memory dump / only have a forensic image of the hard...

Using SIFT and ophcrack to Crack a Windows (XP) Password

First, A Note on Windows Passwords ... Thought I should include some relevant theory rather than dive straight in as I have been doing ... Jesper M. Johansson has written an excellent PowerPoint...

Writing a CCleaner RegRipper Plugin Part 1

Introduction: Hello again! I thought I would do another multi-part post - this time we will use SysInternals ProcMon (v 2.96) monitoring software to investigate the CCleaner (v 3.14.1616) Windows Cleaner...

Writing a CCleaner RegRipper Plugin Part 2

Welcome Back Viewers! We now continue with our scheduled programming ... heh-heh... About RegRipper (on SIFT V2.12): RegRipper is written in Perl and is included with the SIFT VM. There are 3 main...

Diving in to Perl with GeoTags and GoogleMaps

Girl, Unallocated recently posted a guide to plotting geotag data using exiftool and Google Earth here. GoogleMaps also has some info about how to plot lat / long coordinates along with an info box on a...

Making "exif2map.pl" recursively search

Recently Doppiamunnezza commented that it might be helpful if we could point the exif2map.pl script at a folder and have it automagically search all files below that for EXIF geotag data. Being the...

(Monkey) Carvings of Unknown File Types with Scalpel / Foremost on SIFT

Thierry13 recently requested we look into file carving - specifically, how do we carve for non-standard / unknown files. For the scalpel and foremost carving utilities (both on SIFT) it's monkey's...

Some Attempted Forensic Monkey Humour

I thought I would take a break from all the usual techno-babble and post some questionable (but safe for work) humour/entertainment. The first item is a GIF I made up for your exclusive viewing...

M57 Jean Investigation Oversight/Apology

It has come to my attention that the M57 Jean practice case is still being used as a teaching aid so consequently I will be removing my plan of attack post (#2) and heavily redacting my conclusions...

The (Wannabe) Dark Lord of the SIFT

Obi-Wan has taught you well? Recently, I deleted some posts relating to the M57.biz Jean scenario. However, I also think that there was some helpful (non M57 specific) information on using various SIFT...

Detecting Spoofed Emails with SIFT's pffexport and some Perl scripting

One likely issue facing today's forensicator is the sheer number of emails people keep in their Inboxes. These numbers can grow at a phenomenal rate especially if the user subscribes to multiple mailing...

Inspecting Registry key differences on SIFT with "regdump.pl" and Meld

Recently, I read some favourable reviews (on the Ubuntu forum) about an open source diff program called meld. Commonly used in programming, diff programs are used to compare 2 separate files. There is an...

Quick Tutorial On Re-using My Perl Scripts

Hi All, What a busy week for this little monkey! A fellow monkey recently contacted me about some problems they had getting my "exif2map.pl" script to work on SIFT. Specifically, they were getting...

Using Perl to View an SQLite Database

Warning: This is one of my longer rambles posts and there's not many pics either. According to the SQLite website, SQLite is an open source, cross-platform database library that is used in software...

Perl Parsing an SQLite Database File Header

Previously on Cheeky4n6Monkey ... we used the Perl DBI package to retrieve the contents of Firefox's (v3.5.17 and v11.0) "places.sqlite" and "downloads.sqlite". A secondary discovery was that depending...

Using Perl to Copy AppID Data from HTML to an SQLite Database

Someday You'll Find It ... The Jumplist Connection! So all this talk of Windows 7 Jumplists (eg here and here) got me thinking - What if you needed to look up an AppID and didn't have access to the...
